Various protocols exist for establishing common keys between a pair of entities connected within a data communication system or for transporting keys between such entities. Many of these protocols are based upon the fundamental Diffie-Hellman protocol, in which a piece of information private to one of the correspondents is combined with public information from the other correspondent to arrive at a common key. The protocol known as the MQV protocol, after the inventors Menezes, Qu and Vanstone, and exemplified in the PCT application WO 98/18234, is recognized as one of the most efficient of the known authenticated Diffie-Hellman protocols that use public key authentication. It is recognized as offering superior performance whilst inherently possessing excellent security properties. As a result, MQV has been widely standardized and has recently been chosen by the NSA as the key exchange mechanism underlying the next generation of cryptography to protect United States government information.
Proposals have been made to modify the MQV protocol to implement a variation of the protocol. Whilst these proposals have been made to address what are perceived as potential flaws in the underlying MQV concept, further examination has shown that such flaws do not exist and that the proposed modifications, contrary to the assumptions made by the proponents, themselves introduce additional security risks.
It is therefore an object of the present invention to obviate or mitigate the above disadvantages.
In general terms, the present invention provides a key agreement protocol in which a signature component of one correspondent includes a hash of the public key of the one correspondent and the identity of the intended recipient. During the exchange of information, the validity of at least one of the public keys used in the exchange is determined. The resultant shared key may also be checked for its validity.
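The following is an added example, not code from the patent or from any standardized MQV implementation. It sketches an MQV-style authenticated key agreement in a prime-order subgroup of Z_p^* with the three features the passage describes: each party's signature component folds in a hash of its own ephemeral public key together with the intended recipient's identity; every received public key is validated before use; and the resulting shared secret is rejected if it is the group identity. The group parameters, identities, hash-to-scalar encoding and the `Party`/`run_exchange` helpers are all assumptions made for this illustration, and the 64-bit safe prime is a toy size used only so the arithmetic can be checked offline.

```python
"""MQV-style key agreement with identity-bound signature components.

Added illustration (not the patent's own method or code). Group: p = 2q + 1,
g of order q. Alice holds static (a, A = g^a) and ephemeral (x, X = g^x);
Bob holds (b, B = g^b) and (y, Y = g^y). With d = H(X, ID_Bob) and
e = H(Y, ID_Alice):
    Alice: s_A = x + d*a,  K = (Y * B^e)^s_A
    Bob:   s_B = y + e*b,  K = (X * A^d)^s_B
Both sides obtain K = g^{(x + d*a)(y + e*b)}.
"""
import hashlib
import secrets

# Miller-Rabin with these bases is deterministic for n < 3.3e24 (toy sizes).
MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int) -> bool:
    if n < 2:
        return False
    for sp in MR_BASES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime_group(bits: int = 64):
    """Return (p, q, g) with p = 2q + 1 prime and g generating the order-q subgroup.
    Toy parameters: far too small for real use."""
    q = (1 << (bits - 1)) | 1
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    p = 2 * q + 1
    g = 4 % p  # 4 = 2^2 is a quadratic residue, hence of order q when p = 2q+1
    return p, q, g


def h_scalar(p: int, q: int, pubkey: int, recipient_id: bytes) -> int:
    """H(ephemeral public key || recipient identity) reduced into [1, q-1].
    Fixed-width key encoding keeps the concatenation unambiguous (assumed encoding)."""
    width = (p.bit_length() + 7) // 8
    digest = hashlib.sha256(pubkey.to_bytes(width, "big") + recipient_id).digest()
    return int.from_bytes(digest, "big") % (q - 1) + 1


def validate_public_key(p: int, q: int, y: int) -> bool:
    """Full public-key validation: y strictly between 1 and p-1 and y^q == 1 mod p.
    Rejects 0, 1, p-1 (the order-2 element) and anything outside the subgroup."""
    return 1 < y < p - 1 and pow(y, q, p) == 1


class Party:
    def __init__(self, group, ident: bytes):
        self.p, self.q, self.g = group
        self.ident = ident
        self.static_priv = secrets.randbelow(self.q - 1) + 1
        self.static_pub = pow(self.g, self.static_priv, self.p)
        self.eph_priv = secrets.randbelow(self.q - 1) + 1
        self.eph_pub = pow(self.g, self.eph_priv, self.p)

    def shared_secret(self, peer_id: bytes, peer_static_pub: int, peer_eph_pub: int) -> int:
        p, q = self.p, self.q
        for key in (peer_static_pub, peer_eph_pub):
            if not validate_public_key(p, q, key):
                raise ValueError("peer public key failed validation")
        # Own signature component binds own ephemeral key to the intended recipient.
        d = h_scalar(p, q, self.eph_pub, peer_id)
        s = (self.eph_priv + d * self.static_priv) % q
        # Peer's scalar is recomputed from the peer's ephemeral key and *our* identity.
        e = h_scalar(p, q, peer_eph_pub, self.ident)
        k = pow(peer_eph_pub * pow(peer_static_pub, e, p) % p, s, p)
        if k == 1:
            raise ValueError("shared secret is the identity element")
        return k


def run_exchange(group=None, bob_sees_alice_as: bytes = b"alice"):
    """Run one exchange and return (K_alice, K_bob). If Bob addresses his
    signature component to a different identity, the keys will not agree."""
    group = group or safe_prime_group()
    alice, bob = Party(group, b"alice"), Party(group, b"bob")
    k_a = alice.shared_secret(b"bob", bob.static_pub, bob.eph_pub)
    k_b = bob.shared_secret(bob_sees_alice_as, alice.static_pub, alice.eph_pub)
    return k_a, k_b


if __name__ == "__main__":
    grp = safe_prime_group()
    ka, kb = run_exchange(grp)
    print("agreed" if ka == kb else "MISMATCH", hex(ka)[:18])
    print("p-1 accepted?", validate_public_key(grp[0], grp[1], grp[0] - 1))
```

Both sides derive the same `K` only when each party's hash binds its ephemeral key to the identity the other side actually holds; the `bob_sees_alice_as` parameter of `run_exchange` exists to make that dependency visible. The validation step is what stops an order-2 element such as `p-1` (or a value outside the group entirely) from being fed into the exponentiation, and the final identity check is the shared-key validity test the passage mentions.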